Start a new topic

How to verify a password

I have a user settings form on my web application (Angular) and I want to require the user (already logged in) to type their password before performing certain irreversible actions. Is there a way to check a user's credentials without calling 'login'?

Hi, I do not believe that there is a "native" way to re-verify credentials after the initial login without interrupting the logged-in status of the user, since communication with Kinvey beyond that point occurs using the access token generated by the original login. However, one way to verify the user's password would be to submit a REST request (for example, to the `_me` endpoint, as mentioned in http://devcenter.kinvey.com/rest/guides/users#Requiredheaders4), and authenticate this request using [basic auth](http://devcenter.kinvey.com/rest/guides/security#basicauthentication) with the user's username and password.
I ended up writing a custom Angular service to call the REST API, as you suggested. The problem is that if my Basic Auth header fails, the Kinvey server responds with a 401 status. Most browsers automatically present a user auth popup window upon receiving a 401, to give the user a second shot at entering in the right creds. Besides just being confusing from a UX perspective, the browser behavior prevents my response handler from firing.



I can't change the server behavior a la http://stackoverflow.com/questions/9859627/how-to-prevent-browser-to-invoke-basic-auth-popup-and-handle-401-error-using-jqu



Anyone have any ideas for a workaround?



Thanks!
It sounds like you're using jQuery.ajax to send your request -- if you use angular's $http, you should be able to handle the 401.
Ah! Sorry. My mistake before - my callback is being called and I am using $http. I still can't prevent Safari from popping up the login credentials window when it gets a 401, though.
Hi @tnbeatty‌



I think your best option here might be to use a [response interceptor](https://docs.angularjs.org/api/ng/service/$http#interceptors) to handle the 401 error. Something along the lines of...



```

angular.module('app').factory('intercept401Errors', function($q) {

return {

responseError: function(rejection) {

if (rejection.status === 401) {

// handle the 401 error as you wish

} else {

return $q.reject(rejection);

}

}

};

}).configure(function($httpProvider) {

return $httpProvider.interceptors.push('intercept401Errors');

});

```



Let me know if this works out for you.





Pete
Pete-



Thanks for the suggestion! It was definitely a good thought, but ultimately didn't work because the browser responds before the rejection is caught.



I have done some more research into this and it seems that it can only be fixed (and has been fixed by most devs) server-side. I will figure out a workaround! I'll also post some pared-down code to Github when I have a chance over the weekend so the problem is reproducible on your end. I would still be curious if we can find a solution!



Nate
Hi Nate, if there is absolutely no way to supress the authentication popup, have you considered creating a custom business logic endpoint which accepts a username and password as parameters, and uses the request module to try and authenticate the user through the REST API? the endpoint could then return a boolean value indicating whether the user's credentials are correct.
Login or Signup to post a comment